CVE-2025-13285

7.3 HIGH

📋 TL;DR

CVE-2025-13285 is an SQL injection vulnerability in itsourcecode Online Voting System 1.0 that allows attackers to manipulate database queries via the Username parameter in /login.php. This can lead to unauthorized data access, modification, or authentication bypass. Organizations using this specific voting system version are affected.

💻 Affected Systems

Products:
  • itsourcecode Online Voting System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation; requires web server with PHP and database backend

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise allowing data theft, voter manipulation, system takeover, and potential election integrity breach

🟠 Likely Case: Unauthorized access to voter data, authentication bypass, and limited data manipulation

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to non-critical data

🌐 Internet-Facing: HIGH - Attack can be launched remotely and exploit is publicly available
🏢 Internal Only: MEDIUM - Internal attackers could exploit but external threat is primary concern

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit targets login page requiring no authentication; simple SQL injection techniques work

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch is available. Consider migrating to an alternative voting system or implementing a custom fix that uses parameterized queries.
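
A parameterized version of the login lookup, as an added example and not the vendor's code or an official patch. Only the `Username` parameter and `/login.php` come from this advisory; the `voters` table, its columns, the `Password` field, the stored `password_hash()` hashes and the database credentials are assumptions.

```php
<?php
// Added example, not the vendor's code. Table/column names, the Password field
// and DB credentials are assumptions; only Username comes from the advisory.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of echoing SQL errors

function find_voter(mysqli $db, string $username): ?array
{
    // The value is sent separately from the SQL text, so quotes or comment markers cannot alter the query.
    $stmt = $db->prepare('SELECT id, password_hash FROM voters WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

function login(mysqli $db, array $post): bool
{
    $username = $post['Username'] ?? '';
    $password = $post['Password'] ?? '';
    // Reject non-string input (e.g. Username[]=x) and empty or oversized values early.
    if (!is_string($username) || !is_string($password)
        || $username === '' || strlen($username) > 64) {
        return false;
    }
    $voter = find_voter($db, $username);
    // Verify against the stored hash in PHP; the password never goes into the WHERE clause.
    if ($voter === null || !password_verify($password, $voter['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // new session id after authentication
    $_SESSION['voter_id'] = (int) $voter['id'];
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    try {
        $db = new mysqli('localhost', 'voting_app', 'CHANGE_ME', 'voting'); // placeholder credentials
        $db->set_charset('utf8mb4');
        $ok = login($db, $_POST);
    } catch (mysqli_sql_exception $e) {
        error_log('login query failed: ' . $e->getMessage()); // log server-side, never display
        $ok = false;
    }
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'Login successful' : 'Invalid username or password';
}
```

The same generic failure message is returned for an unknown user, a wrong password and a database error, so the response does not leak SQL error text.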

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection rules to block malicious requests

Input Validation Filter

all

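Add input validation to sanitize the Username parameter before processing. Escaping only protects values that end up inside quoted SQL string literals, so treat it as a stopgap until the query is parameterized.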

Add PHP code: $username = mysqli_real_escape_string($connection, $_POST['Username']);

🧯 If You Can't Patch

  • Isolate system in segmented network with strict access controls
  • Implement database user with minimal permissions (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Test login.php with SQL injection payloads like ' OR '1'='1 in Username field

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Verify parameterized queries are implemented and test with same SQL injection payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple failed login attempts with SQL syntax in Username field

Network Indicators:

  • HTTP POST requests to /login.php containing SQL keywords in parameters

SIEM Query:

source="web_server.log" AND "login.php" AND ("SQL" OR "syntax" OR "' OR" OR "--" OR ";")
